Bogdan Daniel

Reputation: 2759

When to use passport.js?

I've been developing in node for the last few months to try and understand the framework, and now I'm actually going to try to make an app for multiple devices.

I want to use a node project as the API, which will handle all POST and GET requests.

In another node project I would have a React web interface communicating with the node API with AJAX and socket.io.

In a mobile Android/iOS or Cordova app I would have the mobile interface communicating as above.

Now that I've explained the background of my question I will describe my problem.

For now I have a node project that uses bcrypt to encrypt passwords for registration and login. I also use passport to establish a session and for flash messages.

const bcrypt = require('bcrypt');
const passport = require('passport');
const LocalStrategy = require('passport-local').Strategy;

router.post('/login',
    passport.authenticate('local', {successRedirect: '/', failureRedirect: '/users/login', failureFlash: true}),
    function(req, res) {
        res.redirect('/');
    });

passport.use(new LocalStrategy(
    function(username, password, done) {
        db_functions.getUserByEmail(username, function(error, results) {
            // Hand DB errors to passport instead of throwing inside an async callback
            if (error) return done(error);
            // No such user: fail authentication rather than reading results[0].password of undefined
            if (!results || results.length === 0) {
                return done(null, false, {message: 'Unknown user'});
            }

            bcrypt.compare(password, results[0].password, function(err, res) {
                if (err) return done(err);
                if (res === true) {
                    return done(null, results[0]);
                } else {
                    return done(null, false, {message: 'Invalid password'});
                }
            });
        });
    }));

passport.serializeUser(function(user, done) {
    done(null, user.id);
});

passport.deserializeUser(function(id, done) {
    console.log(id);
    db_functions.getUserById(id, function(error, results) {
        if (error) return done(error);
        done(null, results[0]);
    });
});

I read here, http://passportjs.org/docs/overview, that if I'm going to use my node project as an API, I should disable sessions and I will therefore use:

// 'basic' is the BasicStrategy from passport-http; with session: false no session is created
app.get('/api/users/me',
  passport.authenticate('basic', { session: false }),
  function(req, res) {
    res.json({ id: req.user.id, username: req.user.username });
  });

Now that I have sessions disabled, why exactly should I keep using passport? I use bcrypt to register and to check for a password match when a user logs in. If I do remove it, does that mean that each request that comes from a web browser or a mobile device would also have to transmit the user and hashed password?

Upvotes: 2

Views: 5065

Answers (1)

JT Mechkowski

Reputation: 193

passport is an authentication library and sessions are a part of authorization — a different step in the process. You could use passport to issue a token such as a jsonwebtoken, instead of using sessions, with a different library to verify those, such as ejwt, or create a middleware function to validate these tokens on routes which require authentication.

passport is also extensible with a lot of plugins already developed to allow many forms of authentication to issue your authorization method.

You don't have to use it, it just makes it a bit easier. bcrypt, on the other hand, you probably have to use.

Upvotes: 7
